For the U.S. retailer, this news may further erode any movement toward Chip-and-PIN, an effort that had already effectively been stalled by retailer apathy. Despite a push last year by Wal-Mart, retailers have shown almost no interest in making the change. The move in the U.S. toward mobile payment, which is unlikely to be easily compatible with current-day EMV efforts, is the latest Chip-and-PIN roadblock.
This follows earlier reports about thieves burning a hole in the back of an EMV card reader and a Cambridge University report that EMV was easy to fool.
The Black Hat presentation, made by engineers from Inverse Path and Aperture Labs, said EMV has not kept up with security in the years since it was introduced, giving the cyberthief community time to exploit its weaknesses.
"The chip interface is inherently accessible and not protected by tamper-proof sensors. It is therefore an extremely appealing target to fraudsters and it is nearly impossible for the cardholder [or merchant] to easily verify that the terminal has been tampered [with] and, for this reason, an EMV skimmer could go undetected for a very long time," the group's presentation said. "Is it possible for the backend to detect the CVM downgrade attack? The CVM List tampering results in flipping of the 'SDA failed' status bit presented by the terminal to the backend in the TVR (Terminal Verification Results). However, we do not feel it's realistic for an issuer to block transactions/cards solely on this information as Offline Data Authentication can fail for several legitimate reasons."
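The backend check the presentation describes, as an added example (not code from the presentation or this article): it decodes the TVR (tag 95) and CVM Results (tag 9F34) from an authorization message and treats "SDA failed" as grounds for review only when an offline plaintext PIN was also the method that succeeded. Bit positions follow EMV Book 3; the function names, the sample hex values and the review/log/pass policy are assumptions.

```python
# Added example; the sample hex values are constructed, not captured data.
# TVR (tag 95) byte 1 flags, per EMV Book 3.
TVR_BYTE1 = {
    0x80: "ODA not performed", 0x40: "SDA failed", 0x20: "ICC data missing",
    0x10: "card on exception file", 0x08: "DDA failed", 0x04: "CDA failed",
}
# CVM Results (tag 9F34) byte 1, low six bits: the method the terminal performed.
CVM_METHODS = {
    0x01: "plaintext PIN by ICC", 0x02: "enciphered PIN online",
    0x03: "plaintext PIN by ICC + signature", 0x04: "enciphered PIN by ICC",
    0x05: "enciphered PIN by ICC + signature", 0x1E: "signature",
    0x1F: "no CVM required",
}

def _field(hex_str, length, name):
    raw = bytes.fromhex(hex_str)
    if len(raw) != length:
        raise ValueError(f"{name} must be {length} bytes, got {len(raw)}")
    return raw

def decode_tvr(tvr_hex):
    """Return the names of the flags set in TVR byte 1."""
    b1 = _field(tvr_hex, 5, "TVR")[0]
    return [name for bit, name in TVR_BYTE1.items() if b1 & bit]

def decode_cvm_results(cvm_hex):
    """Return (method, succeeded) from the 3-byte CVM Results."""
    raw = _field(cvm_hex, 3, "CVM Results")
    return CVM_METHODS.get(raw[0] & 0x3F, "unknown"), raw[2] == 0x02

def assess(tvr_hex, cvm_hex):
    """Hypothetical issuer policy: 'SDA failed' alone is only logged, because
    offline data authentication can fail for legitimate reasons; it is
    escalated when a plaintext offline PIN was also verified successfully."""
    flags = decode_tvr(tvr_hex)
    method, ok = decode_cvm_results(cvm_hex)
    if "SDA failed" in flags:
        if ok and method.startswith("plaintext PIN"):
            return "review"
        return "log"
    return "pass"

if __name__ == "__main__":
    samples = [("4000000000", "410302"), ("4000000000", "420300"),
               ("0000000000", "410302")]
    for tvr, cvm in samples:
        print(tvr, cvm, decode_tvr(tvr), decode_cvm_results(cvm), assess(tvr, cvm))
```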
The group said there is a way around this flaw, but it has downsides. "A patch would require disabling plaintext PIN verification on POS and ATM firmware, preventing the downgrade attack in the first place. This, of course, would break compatibility with the EMV specification and prevent transactions with SDA cards on terminals that do not have online PIN verification capabilities."
One problem with this is that retailers' reduced financial exposure, courtesy of the card brands, comes at the cost of increased liability for the consumer. That consumer might then be placed in the joyous position of having to prove a negative.
"The cardholder is assumed to be liable unless they can unquestionably prove they were not present for the transaction, did not authorize the transaction and did not inadvertently assist the transaction through PIN disclosure. PIN verification, with the help of EMV, increasingly becomes 'proof' of cardholder presence. It becomes impossible for the user to verify if the terminal has been tampered with, as the chip interface is not visible (unlike most mag stripe ones for POS terminals). An EMV skimmer could go undetected for a very long time and requires little installation effort."
Andrea Barisani, the chief security engineer at Inverse Path, said the security that does exist is not effective. "The CVV matches the mag stripe only for cards that do not use iCVV, a different stored value to protect against this attack, introduced in January 2008 but not present on all cards," he said. "It is fair to say that the possibility of massive harvesting and being protected by a 3-digit code is not a comforting scenario."
In one EMV country, Canada, mobile payment is likely to see the reverse of what is happening in the U.S. In the U.S., EMV adoption has been all but halted while the community awaits mobile payment.
Payment officials in Canada say mobile payment adoption will likely be back-burnered, as chains have just recently completed full EMV deployment and will be hesitant to make a near-term shift. As a practical matter, though, this will have little impact. By the time mobile payments are mature enough for wide-scale deployment (probably about three years away), the Canadian merchant community will likely be ready to make the move.